Failure when trying to run application release ver

Compiled release version of my app and copied the bundle over to another machine for testing. Crashes with this:

Dyld Error Message:
  Library not loaded: @rpath/libxxx.dylib
  Referenced from: /Users/USER/Downloads/*/ndncon.app/Contents/MacOS/ndncon
  Reason: no suitable image found.  Did find:
    /Users/remap/Downloads/ndncon2-testing/ndncon.app/Contents/MacOS/../Frameworks/libxxx.dylib: code signature invalid for '/Users/remap/Downloads/ndncon2-testing/ndncon.app/Contents/MacOS/../Frameworks/libxxx.dylib'

I ran verifications:

$ codesign -vv --deep-verify /Users/remap/Downloads/ndncon2-testing/ndncon.app 
/Users/remap/Downloads/ndncon2-testing/ndncon.app: valid on disk
/Users/remap/Downloads/ndncon2-testing/ndncon.app: satisfies its Designated Requirement

and

$ codesign -dvv /Users/remap/Downloads/ndncon2-testing/ndncon.app 
Executable=/Users/remap/Downloads/ndncon2-testing/ndncon.app/Contents/MacOS/ndncon
Identifier=ucla.edu.ndncon
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=8819 flags=0x0(none) hashes=434+3 location=embedded
Signature size=4688
Authority=Mac Developer: g....n@gmail.com (H79XXXX834)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Dec 1, 2016, 12:51:19 PM
Info.plist entries=26
TeamIdentifier=XXXXXXXXX
Sealed Resources version=2 rules=12 files=44
Internal requirements count=1 size=180

and finally,

$ sudo spctl --assess -v /Users/remap/Downloads/ndncon2-testing/ndncon.app 
/Users/remap/Downloads/ndncon2-testing/ndncon.app: accepted
override=security disabled

Not sure why it complains about 1) internal dynamic library and 2) why it complains at all?

We've been dealing with this for the past couple days and finally figured out the issue. Although you don't mention it in the question I'd strongly suspect you are running into this on OS X Yosemite 10.10.5

The issue is that you [quite likely] need to have a sha1 hash in your code signature on Yosemite and you only have a sha256 hash. The codesign utility inspects the binary's deployment target [LC_VERSION_MIN_MACOSX] to detect if it needs to include a sha1 or just sha256 and signs appropriately. For whatever reason "codesign -vv" on Yosemite is incorrectly reporting a valid signature when it obviously is failing.

Of note - this isn't an issue on earlier versions of OS X because library signatures aren't validated until Yosemite.